Username (e.g. epiz_XXX) or Website URL
https://delios.freecluster.eu
Error Message
Missing Headers;
Strict-Transport-Security
Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
etc.
Other Information
I tried to harden the headers with a .htaccess file, but it doesn't work.
I wrote the rules from this Hardening your header in the .htaccess file.
I uploaded the .htaccess file to the htdocs folder.
I checked the headers but it is not working.
This sounds like a site for if you can self-host. Can you tell us what you are trying to achieve? Also, make sure you created a new .htaccess file in the /htdocs folder, and that you are not editing the one in the folder root.
Thanks!
Admin
June 2, 2021, 2:29pm
3
Setting headers through either .htaccess rules or PHP should just work fine.
But note that some online validation tools may not see it because they are stopped by this:
3 Likes
this is the .htaccess file
#START HTTP Security Header
#Content Security Policy - CSP-HEADER
# Load content only from sites that are explicitly allowed
# Example: allow everything from your own domain, no external sources:
# upgrade-insecure-requests is merged into this one policy: a second "Header set" for the
# same header overwrites the first, and "Content-Security-Policy:" (with colon) is not a valid header name
Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self'; object-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure-requests"
#Permissions-Policy
# Directives are comma-separated and allowlists use (self) without quotes; a bare "fullscreen" is not valid syntax
Header set Permissions-Policy "accelerometer=(), autoplay=(self), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=()"
# "Header set" takes the header name without a trailing colon
Header set Cross-Origin-Resource-Policy "same-origin"
Header set Cross-Origin-Opener-Policy "same-origin-allow-popups"
# require-corp blocks every cross-origin subresource that does not opt in via CORP or CORS
Header set Cross-Origin-Embedder-Policy "require-corp"
Header set Cross-Origin-Opener-Policy-Report-Only "same-origin-allow-popups"
#HTTP Content-Types
AddCharset UTF-8 .html
AddType 'text/html; charset=UTF-8' .html
#Public Key Pins
# HPKP is deprecated and ignored by current browsers; the pin values below are placeholders from the guide, not real pins
Header set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"
#Strict-Transport-Security
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
#X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"
#X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
#X-Xss-Protection
Header always set X-Xss-Protection "1; mode=block"
#Referrer-Policy
Header set Referrer-Policy "no-referrer"
#CORS Enabled
# 'origin-list' is a placeholder; replace it with the origin that is actually allowed
Header set Access-Control-Allow-Origin 'origin-list'
#Disable server signature
Header unset X-Powered-By
ServerSignature Off
# Reject requests carrying a PHP easter-egg UUID in the query string; mod_rewrite must be switched on first
RewriteEngine On
RewriteCond %{QUERY_STRING} PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
#END HTTP Security Header
How can I test the HTTP header security?
With another security scanner I got a security problem with DOMXSS-Sources
https://siwecos.de/wiki/DOMXSS-Sources
I want to realize a login without JS and a secure header. How can I do and test this?
Thanks
Admin
June 2, 2021, 6:19pm
8
I’m not sure you can. If there is a security scanner that executes JavaScript, then it should work, but I don’t know if they exist.
But you can just open the site yourself, check the Network tab and view the response headers there. If those match what you’ve set in the .htaccess file, then your rules are probably good.
3 Likes
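The same check the admin describes for the Network tab, done from a script instead, as an added example that is not part of this thread: it parses a raw HTTP response (the sample below is constructed, not a capture of the site in question) and reports which of the headers listed in the original post are missing or weakly set. The header list, thresholds and function names are this example's own choices.

```python
"""Audit security headers from an HTTP response (added example, not from the thread)."""
import re
import urllib.request


def _max_age(value):
    """Return the max-age= number from a header value, or 0 if absent."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


# Headers from the original post, each with a predicate for an acceptable value.
CHECKS = {
    "Strict-Transport-Security": lambda v: _max_age(v) >= 31536000,
    "Content-Security-Policy": lambda v: "default-src" in v.lower()
        and "'unsafe-inline'" not in v and "'unsafe-eval'" not in v,
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Referrer-Policy": lambda v: v.strip().lower() in
        ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
}


def parse_response(raw):
    """Parse a raw HTTP response into {lowercased-name: value}; repeated headers are joined."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return headers


def audit(headers):
    """Map each checked header to 'ok', 'weak' or 'missing'."""
    result = {}
    for name, acceptable in CHECKS.items():
        value = headers.get(name.lower())
        result[name] = "missing" if value is None else ("ok" if acceptable(value) else "weak")
    return result


def fetch_and_audit(url):
    """Live variant: GET the URL and audit the real response headers."""
    with urllib.request.urlopen(url) as resp:
        return audit({k.lower(): v for k, v in resp.headers.items()})


# Constructed sample response: short HSTS lifetime, CSP with 'unsafe-inline', two headers absent.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for name, state in audit(parse_response(SAMPLE)).items():
        print(f"{name}: {state}")
```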
DeliOS
June 3, 2021, 12:22am
9
Ok, thanks a lot for this fast answer, I will do further research. At least one question: is it possible to get a list of working .htaccess directives?
Admin
June 3, 2021, 8:13am
10
I don’t have a list of that, no. That said, most popular .htaccess statements should be supported. So most mod_rewrite stuff, adding headers, blocking IPs and so on should all be possible.
2 Likes
system
Closed
June 10, 2021, 8:13am
11
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.